Cookies are text files that websites store in your web browser to remember things such as your user name, your policy preferences, or your progress on a website. The GDPR’s full-force arrival in the European Union sent websites scrambling to be compliant by the deadline, and that includes cookie script management. The most commonly used method for cookie compliance is adding a cookie popup to the website. Under the EU cookie laws and similar regulations, your website must inform users about the use of cookies and their purpose before storing the cookies. However, this information must be written to meet the legal requirements, and that is exactly what we call a cookie text. We will cover all the essential details and the best practices for a legally compliant cookie text.

What is cookie text?

Cookie text is the message on a website to inform users about cookies and for what purpose they are used. Various data protection laws require websites to provide their users with this information to obtain voluntary consent for using cookies. This notification or message appears on a website’s consent banner. 

Cookie text differs from the cookie policy statement, which is a detailed account of what cookies are deployed on the site, how they will be used, and how the users can manage them (especially the third-party settings).

Website cookie consent text is usually the first thing the users will see when they visit a website. When the user visits a website for the first time, the website must ask for consent to use cookies before storing them on user devices. Therefore, a cookie banner or notice to inform them about cookies and to ask their permission is a mandatory requirement. 

Here is an example of a cookie text:

Cookie text in CookieYes consent banner

The cookie text’s content may extend beyond just the first layer of message on the banner to the second layer, where you can see the explanation of different types of cookies used and settings to give consent to them.

GDPR cookie text requirements

The GDPR does not explicitly mention cookies in its official document. However, the scope of personal data identifiers in the regulation includes cookies. Any information that directly or indirectly links to a person is referred to as personal data in the GDPR. In those terms, cookies collect and use data that can identify users. Therefore, cookie identifiers are considered personal data under GDPR, and using cookies is subject to the law. This only applies to cookies that collect and use personally identifiable information and share them with third parties. Therefore, cookies that are strictly necessary for a website to function are exempted from GDPR cookie consent.

As per the GDPR, a website must follow the following practices to make its use of cookies compliant.

  • Inform users about using cookies and their purpose when they visit the website.
  • Allow them to accept and reject cookies before storing them on their device. 
  • Keep cookies (except strictly necessary cookies) blocked until the user gives consent. 
  • Let users select what cookies they want the website to store on their device.
  • Allow users to withdraw cookie consent if necessary.
  • Keep a log of all the user consent.
  • Renew cookie consent every 6 months (depends on the local data protection authority guidelines).

Cookie text is all about informing the users about these details. Well, at least some of them.
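The practices listed above (block non-essential cookies until consent, per-category choice, withdrawal, a consent log, and renewal after roughly six months) can be enforced in code. The JavaScript below is an added example, not CookieYes code or anything from the original page; the category names, the `userId` key, the in-memory log and the 182-day interval are assumptions for illustration.

```javascript
// Added example: a consent gate. All names and the record shape are assumptions.
const RENEWAL_MS = 182 * 24 * 60 * 60 * 1000; // ~6 months; adjust to local DPA guidance
const CATEGORIES = ["necessary", "functional", "analytics", "advertisement"];
const consentLog = []; // append-only record of every consent decision

// Store the user's per-category choice; anything not explicitly true is refused.
function recordConsent(userId, choices, now) {
  const granted = { necessary: true }; // strictly necessary cookies need no consent
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  const entry = Object.freeze({ userId, granted: Object.freeze(granted), at: now });
  consentLog.push(entry);
  return entry;
}

// Latest decision for this user, or null if there is none or it is due for renewal.
function currentConsent(userId, now) {
  for (let i = consentLog.length - 1; i >= 0; i--) {
    const e = consentLog[i];
    if (e.userId === userId) return now - e.at < RENEWAL_MS ? e : null;
  }
  return null;
}

// Gate to call before any cookie is written: blocked by default.
function maySetCookie(userId, category, now) {
  if (category === "necessary") return true;
  if (!CATEGORIES.includes(category)) return false; // unknown category stays blocked
  const consent = currentConsent(userId, now);
  return consent !== null && consent.granted[category] === true;
}

// Show the banner on first visit and again once consent has expired.
function needsBanner(userId, now) {
  return currentConsent(userId, now) === null;
}

// Withdrawal is logged as a new decision that refuses every optional category.
function withdrawConsent(userId, now) {
  return recordConsent(userId, {}, now);
}
```

In a real deployment the log would be persisted server-side so it can be produced as evidence of consent.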

The cookie text on the consent banner must convey in simple and plain language that the website uses cookies and what they do. It must clearly explain how the users can opt in or opt out, or use settings to choose their preferences. The text should also link to the privacy or cookie policy for detailed information on cookies.

The GDPR emphasizes using clear and easy-to-understand language for such information. The users must be able to make an informed decision after reading the text. Therefore, it is wise to avoid legal or technical jargon in the cookie text.

Here is an example of a GDPR-compliant cookie text on a consent banner:

GDPR-compliant cookie banner [Source: CookieYes]

Clicking on Customize will open the cookie preference settings, where users can choose the cookie categories they want to consent to. Here, the cookie text conveys why these cookies are used:

Cookie preference settings


CCPA cookie text requirements

CCPA’s rules for regulating personal data resemble GDPR in many ways. However, one of the most striking differences is that US law does not require businesses to obtain consent before collecting personal data. But if the users are not okay with the data collection, they must be able to opt out of it. Therefore, the CCPA requires businesses to adopt just the opt-out model rather than the opt-in and opt-out like GDPR.

Hence, a website that is subject to CCPA doesn’t have to get user consent to use cookies, but it must give users the option to reject cookies. The point to remember here is that the website doesn’t have to let users opt out of all cookies, only those that collect and sell their personally identifiable information to third parties. You can implement the opt-out via a “Do Not Sell My Personal Information” link, placed on the consent notice and the homepage. The DNSMPI page should explain how users can block the tracking technology that sells or shares their information with third parties.

For CCPA compliance, best practices for cookie notification are:

  • Inform users about cookies and their source and purpose.
  • Allow users to opt out of cookies (DNSMPI link) that sell personal information.
  • Link to privacy or cookie notice that explains what type of cookies the site uses, the source, the data collected, their purpose, and how users can control them.

Example of a CCPA-compliant cookie text on a consent notice:

CCPA-compliant cookie text

Best practices for a legally compliant cookie text

As we’ve seen, the GDPR and CCPA have similar requirements for cookie text. It depends on which law applies to your website. If both laws apply, you can follow the common practices that will keep you on the right side of both. These guidelines will also help if your website is subject to other major privacy laws around the world.

On the first appearance, the cookie banner/notice text must satisfy these requirements:

  • Use simple and easy-to-understand language.
  • Avoid technical and/or legal terms that would confuse a layperson. 
  • Make it clear that the users have the option to opt out of cookies or accept only certain categories of cookies.
  • Do not assume that the users are okay with cookies without giving them the option to opt out.
  • Mention it clearly in case you use only necessary cookies that do not require consent.
    (Image: non-compliant cookie text. This cookie text is not GDPR compliant if your website uses third-party cookies.)
  • Add conspicuous opt-in and opt-out options (users understand words like “accept all” and “reject all” more than other technical terms) and preferably of the same format level.
  • Add a link to the privacy policy and/or DNSMPI page (for CCPA) as part of the text to inform users about cookies in detail.

When they select cookie settings, the cookie text must explain:

  • What each category of cookies means.
  • Each category must have separate consent options, and this should be presented clearly.
  • Button to save the cookie preferences.

Frequently asked questions

How do cookies track you?

Cookies are the little bits of code that websites use to track users. When a user visits a website, the web server sends back a cookie with an ID that is unique to them. The next time the user visits the same site, the browser will send the cookie back to that site so it can identify them.

Why do I keep getting cookie messages?

Laws like GDPR and CCPA require websites to inform their users about cookies and their purpose before using them. Cookie messages, or cookie texts, convey this information: they let users know what cookies will be stored on their device if they accept them and that they have the option to reject them. Over the last few years, these laws have come down on many businesses that violated these rules. So, websites are now more serious about cookie messages.

Should you accept cookies?

Accepting cookies is a choice to be made based on the type of cookies. You can accept the cookies if they do not share your personal data with third parties or interfere with your privacy. But if these cookies are set by third parties and they will likely use your personal data to track you, you may want to rethink accepting them. It is better to block cookies if you have to share private or sensitive information like bank details or medical data or if the website is not encrypted.

What is the purpose of cookies?

Cookies are used to improve a website’s operation and services or perform additional services. The most common purposes are remembering login credentials, holding items in an online shopping cart, placing targeted advertisements, gathering analytics, and improving user experience. Therefore, the purpose of cookies varies depending on their type and source.

Should I delete cookies?

Like accepting cookies, deleting cookies is a choice you need to make depending upon the type of cookies, website security, and the type of data shared.

It is ideal to delete cookies if:

  • the cookies collect and track your information;
  • the website is not secure; or
  • you have shared private or sensitive information with the website.

You can find the option to delete or clear cookies in most web browser settings.

How to clear cookies in your web browser?

In Chrome:

  • Click the three dots in the top right corner.
  • Click More tools > Clear browsing data.
  • Check the Cookies and other site data checkbox and click Clear data to clear all cookies.
  • Alternatively, go to Privacy and security in Settings and select Cookies and other site data > See all cookies and site data to selectively clear cookies.

In Firefox:

  • Click the three lines in the top right corner and click Settings.
  • Select Privacy & Security and scroll down to Cookies and Site Data.
  • Click Clear Data and press the Clear button (ensure that the Cookies and Site Data checkbox is ticked) to clear cookies.
  • In the dialog box, click Clear Now to confirm.

In Safari:

  • Select Preferences from the top left corner menu.
  • Select the Privacy tab.
  • Click the Remove All Website Data button.
  • Click Remove Now in the popup window to clear cookies.
